pub async fn promote(
    db: &Db,
    target_user_id: i64,
    new_role: Role,
) -> Result<PromoteOutcome>

Change the target user’s role to new_role.

Refuses to demote the sole active administrator: if the target
currently holds Role::Administrator AND new_role != Administrator
AND no OTHER active administrators exist, returns
PromoteOutcome::SoleAdministratorDemoteRefused. This guard
is per DESIGN_R4_EMERGENCY.md §3.4 — the framework refuses to
leave the deployment with zero administrators, even via CLI.

Atomic: the role-write + session-revoke are in one transaction
to preserve doctrine 22 single-writer semantics while keeping
the promote operation isolated from concurrent session reads.
Session revocation runs after commit per the
invalidate_sessions contract.
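
The guard condition described above, as an added in-memory example that is not this crate's code. The User struct, the Member role, the Outcome enum with its Changed and NoSuchUser variants, and the sample data are all hypothetical; only the three-part refusal condition comes from the description.

```rust
// Added illustration: in-memory model of the sole-administrator guard.
// All types here are hypothetical stand-ins, not the crate's definitions.
use std::collections::HashMap;

#[derive(Clone, Copy, PartialEq, Debug)]
enum Role { Administrator, Member }

#[derive(PartialEq, Debug)]
enum Outcome { Changed, SoleAdministratorDemoteRefused, NoSuchUser }

struct User { role: Role, active: bool }

/// Takes `&mut` so the count and the write cannot interleave with another
/// caller; a database-backed version needs both inside one transaction.
fn promote(users: &mut HashMap<i64, User>, target: i64, new_role: Role) -> Outcome {
    let Some(current) = users.get(&target).map(|u| u.role) else {
        return Outcome::NoSuchUser;
    };
    if current == Role::Administrator && new_role != Role::Administrator {
        // Only OTHER users who are both active and administrators count.
        let others = users
            .iter()
            .filter(|(id, u)| **id != target && u.active && u.role == Role::Administrator)
            .count();
        if others == 0 {
            return Outcome::SoleAdministratorDemoteRefused;
        }
    }
    users.get_mut(&target).expect("checked above").role = new_role;
    Outcome::Changed
}

/// Constructed sample data: 1 = active admin, 2 = deactivated admin, 3 = member.
fn sample() -> HashMap<i64, User> {
    HashMap::from([
        (1, User { role: Role::Administrator, active: true }),
        (2, User { role: Role::Administrator, active: false }),
        (3, User { role: Role::Member, active: true }),
    ])
}

fn main() {
    let mut users = sample();
    // The deactivated administrator (2) does not count as "other active".
    println!("{:?}", promote(&mut users, 1, Role::Member));
    // Once user 3 is an administrator, demoting user 1 is allowed.
    println!("{:?}", promote(&mut users, 3, Role::Administrator));
    println!("{:?}", promote(&mut users, 1, Role::Member));
}
```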